
Latest revision as of 17:38, 26 November 2010

Reviewers Drive Overview

Reviewers drive's goal and methodology explanation

New Drive for Project Reviewers

You may or may not have noticed, but as of the assessment criteria v2, each release will require at least three reviews as it moves from beta to stable. This reintroduces problems we have had in the past finding reviewers for these projects. In addition, at least one of these reviewers should be from the GPC. Based on the last GPC call on Monday, November 23, I am going to spear-head a drive for centralizing the collection and recruitment of OWASP Project reviewers. The general idea for this is to create a pool of known-good persons that can be pulled in when a reviewer is not supplied by the project lead. There are several phases I am planning to implement in order to streamline this.

1. Thanks to Paulo, this is already done: create a sane tracking page where reviewers can register, allowing us to easily find them when needed. You can find a preliminary view of this here: http://www.owasp.org/index.php/OWASP_Project_Reviewers_Database#tab=Project_Reviewers.2FVolunteers

2. Launch a campaign to recruit as many reviewers as possible:

   a. Parse the wiki for existing reviewers that have been active in the last 24 months, and ask them if they are willing to participate in future reviews.

   b. Create a new “how to get involved” page on the wiki with detailed information on what levels of involvement are available within OWASP, to include “Benefits”, “Time commitment”, and “Role” type metrics.

   c. Add information regarding the new review campaign in OWASP media, such as mailing lists, conferences, and the newsletter.

3. Create a mandatory rotation for all members of the GPC, so that each member will be involved in reviews as they become available.

4. Create a review template guide so that reviewers have an idea of what is expected of them. A great example of a top-notch review can be seen by Matt Tesauro on JBroFuzz 1.7 here: http://www.owasp.org/index.php/Category:OWASP_JBroFuzz_Project_-_Version_1.7_Release_-_Assessment#tab=First_Reviewer and here: https://docs.google.com/Doc?docid=0ATb3QwFMHCXrZGdubjI3ZHNfNWhkejdkY2Rj&hl=en

These are merely early thoughts of how I’d like to see this formulated. Feedback is, as always, welcome.
